Possible Hacking Attempt?


rjuli...@gmail.com

Sep 19, 2020, 11:38:00 AM
to VA Smalltalk
Hello....

My local application has a web server component, and I have left it running
for the last couple of days, to allow a third party (with whom I am co-developing
a feature) to consume my web services (using HTTPS Get Requests).
These all seem to work flawlessly.

But this morning, I noticed some odd transcript messages similar to this...
2020/09/19 08:21:22.661|WARNING|Worker 83387|SstReceiveError('Connection negotiation failed with peer: https://195.54.161.136:63118; SSL handshake error: INTERNAL_ERROR (336027900): Unknown error
OpenSSLError
Error Code: 336027900
Error Object: (''unknown protocol'')
Error String: ''error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol''
Error Hint: ''SSL23_GET_CLIENT_HELLO:unknown protocol''
AuxiliaryData: nil')

Is it possible that this is some OTHER party, who has somehow
noticed that I have an open and forwarded port trying to hack in?

I'm running VAST 9.2.1 on Windows 10.
I am using Dynamic DNS to provide my address to the third party,
and in my router config, I have a port set to be forwarded to my
development computer.

Any thoughts?

Best Regards,
Julian Ford

Hans-Martin Mosner

Sep 28, 2020, 9:16:33 AM
to VA Smalltalk
Port scanning on all kinds of IP addresses (fixed and residential) happens all the time. It can be alleviated a little bit by using an unusual port for the service, but even that is not a guarantee.
The page at AbuseIPDB shows that this IP address is a prolific source of network abuse: https://www.abuseipdb.com/check/195.54.161.136
Given the frequency of attacks and apparent inability or unwillingness of the hosting provider to shut down the abusive server, it may be reasonable to block that IP range (195.54.160.0/23) in the router, but of course that will prevent hacking attempts only from that data center, not from the thousands of others.

Cheers,
Hans-Martin

Esteban Maringolo

Sep 28, 2020, 9:26:29 AM
to va-sma...@googlegroups.com
Another alternative is to put something like Cloudflare in front of
your service, then the traffic is routed by them, and they do protect
you from DDoS and similar abuses.

Esteban A. Maringolo

jerry....@gmail.com

Sep 28, 2020, 3:30:21 PM
to VA Smalltalk
Hi Julian,

I concur with both posts above. I would also add that for applications that serve only a limited user audience, you should always ALLOW a specific white-listed range of IPs, and DENY all others. If your app resides behind a reverse proxy (as I would recommend), it's easy to configure. It's probably not difficult to set up in VA/St if you serve the app directly as you do.

For non-development scenarios, other professional hosting services (not just Cloudflare) include DOS attack monitoring and will quarantine your traffic when they detect an attack.

Lastly, I would recommend having a periodic professional penetration test done by a certified ethical hacker who also happens to know Smalltalk (nudge nudge, wink wink) :D

Hope all is going well, and you and the family stay safe.

Jerry Kott.
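
An added example, not part of any post in this thread and not VAST code: a small Python triage script that reads transcript lines in the format quoted in the first post, counts failed TLS negotiations per peer, and labels each peer against the blocked range (195.54.160.0/23) and an allow-list of the kind suggested above. The partner range 198.51.100.0/24 and every sample line except the first peer address are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample transcript lines in the format quoted in the first post.
# Only the first peer address comes from the thread; the other peers are
# made-up or RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2020/09/19 08:21:22.661|WARNING|Worker 83387|SstReceiveError('Connection negotiation failed with peer: https://195.54.161.136:63118; SSL handshake error: INTERNAL_ERROR (336027900): Unknown error
Error String: ''error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol''
2020/09/19 08:25:10.102|WARNING|Worker 83390|SstReceiveError('Connection negotiation failed with peer: https://195.54.160.21:40100; SSL handshake error: INTERNAL_ERROR (336027900): Unknown error
2020/09/19 09:02:44.310|WARNING|Worker 83402|SstReceiveError('Connection negotiation failed with peer: https://203.0.113.7:51515; SSL handshake error: INTERNAL_ERROR (336027900): Unknown error
2020/09/19 09:40:03.007|WARNING|Worker 83411|SstReceiveError('Connection negotiation failed with peer: https://198.51.100.20:50222; SSL handshake error: INTERNAL_ERROR (336027900): Unknown error
"""

PEER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\|WARNING\|.*?"
    r"Connection negotiation failed with peer: https://(?P<ip>[\d.]+):(?P<port>\d+)"
)

def failed_handshakes(log_text):
    """Yield (timestamp, ip_address) for each failed TLS negotiation."""
    for line in log_text.splitlines():
        m = PEER_RE.match(line)
        if m:
            yield m["ts"], ipaddress.ip_address(m["ip"])

def triage(log_text, allowed, blocked):
    """Count failures per peer and label each peer against the two lists."""
    counts = Counter(ip for _, ip in failed_handshakes(log_text))
    report = {}
    for ip, n in counts.items():
        if any(ip in net for net in blocked):
            label = "blocked-range"      # still reaching the service: check the router rule
        elif any(ip in net for net in allowed):
            label = "allowed-partner"    # a real client with a TLS problem
        else:
            label = "unknown"            # would be refused under default deny
        report[str(ip)] = (n, label)
    return report

# Assumption: the partner's range is hypothetical (RFC 5737 test network).
ALLOWED = [ipaddress.ip_network("198.51.100.0/24")]
BLOCKED = [ipaddress.ip_network("195.54.160.0/23")]  # range named in the thread

if __name__ == "__main__":
    for ip, (n, label) in sorted(triage(SAMPLE_LOG, ALLOWED, BLOCKED).items()):
        print(f"{ip:16} {n:3} {label}")
```

Peers labelled "unknown" are the ones an ALLOW-list with DENY-all-others would turn away before the TLS handshake is even attempted.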

rjuli...@gmail.com

Sep 29, 2020, 1:00:14 PM
to VA Smalltalk
Thank you, guys....all 3 of these posts provided great information and insight.

Jerry...good idea about a penetration test.  I will keep that in mind for sure!

Fortunately, it seems that the connection was unable to access anything anyway,
but still something to be very wary of, obviously!

Regards,
Julian

P.S.  Everyone safe and healthy here, Jerry...thanks!  I hope all is well with your clan too!